HP-UX Directory Server 8.1 administrator guide

12.7.3 Editing the certmap.conf file
1. In a text editor, open /etc/opt/dirsrv/slapd-instance/certmap.conf
2. If necessary, make changes to the default mapping.
For example, change the value for DNComps or FilterComps. To comment out a line, insert
a # before it.
3. If desired, create a mapping for a specific CA.
The mapping should take the form certmap mappingName issuerDN.
For example, to create a mapping named Example CA that has the issuer DN ou=example CA, o=example, c=US, enter the following:
certmap Example CA ou=example CA, o=example, c=US
4. Add property settings for a specific CA's mapping.
Specify the Library and InitFn properties before adding any additional properties.
When adding a property, use the form mappingName:propertyName value.
For example, add a DNComps value of o, c for Example CA by entering the following line:
Example CA:DNComps o, c
For the Library and InitFn properties, a complete mapping looks like this:
certmap Example CA ou=example CA, o=example, c=US
Example CA:Library /ldapserver/ldap/servers/slapd/plugin.c
Example CA:InitFn plugin_init_dn
Example CA:DNComps o, c
Example CA:FilterComps e, uid
Example CA:VerifyCert on
Example CA:CmapLdapAttr certSubjectDN
5. Save the certmap.conf file.
12.7.4 Example certmap.conf mappings
In Example 12-1 “Default mapping”, the server starts its search at the directory branch point
containing the entry ou=organizationalUnit, o=organization, c=country, where
organizationalUnit, organization, and country represent values from the subject's DN in the
client certificate.
Example 12-1 Default mapping
certmap default default
default:DNComps ou, o, c
default:FilterComps e, uid
default:verifycert on
The server then uses the values for e (email address) and uid (user ID) from the certificate to
search for a match in the directory before authenticating the user. When it finds a matching entry,
the server verifies the certificate by comparing the certificate the client sent to the certificate
stored in the directory.
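
The lookup described above, sketched in Python as an added example (not code from this guide or from Directory Server): it parses a certmap.conf, flags property lines whose mapping name was never declared, and derives the search base and filter for a subject DN. Assumptions: mapping names must match exactly, the filter is an AND of the FilterComps attributes under their certificate names, and DNs contain no escaped commas; SAMPLE_CONF and all function names are constructed for illustration.

```python
# Added illustration, not the server's code: models how a certmap.conf mapping
# turns a certificate subject DN into an LDAP search base and filter.
SAMPLE_CONF = """\
# constructed sample based on Example 12-1, plus one deliberately orphaned line
certmap default default
default:DNComps ou, o, c
default:FilterComps e, uid
default:verifycert on
Example CA:DNComps o, c
"""

def parse_certmap(text):
    """Return (mappings, errors); mappings = {name: {"issuer": dn, prop: value}}."""
    mappings, errors = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("certmap "):
            tok = line.split()[1:]
            # Assumption: the issuer DN starts at the first token containing "=",
            # otherwise it is the last token (as in "certmap default default").
            i = next((k for k, t in enumerate(tok) if "=" in t), len(tok) - 1)
            mappings[" ".join(tok[:i])] = {"issuer": " ".join(tok[i:])}
            continue
        name, _, rest = line.partition(":")
        prop, _, value = rest.strip().partition(" ")
        if name not in mappings:
            errors.append(f"line {n}: property for undeclared mapping {name!r}")
        else:
            mappings[name][prop.lower()] = value.strip()
    return mappings, errors

def escape_filter_value(value):
    # RFC 4515 escaping so certificate values cannot alter the filter structure.
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def search_for(mapping, subject_dn):
    """Return (base_dn, filter) for a subject DN (naive split: no escaped commas)."""
    rdns = [tuple(s.strip() for s in r.split("=", 1)) for r in subject_dn.split(",")]
    want = lambda key: [a.strip().lower() for a in mapping.get(key, "").split(",") if a.strip()]
    base = ", ".join(f"{a}={v}" for a, v in rdns if a.lower() in want("dncomps"))
    vals = {a.lower(): v for a, v in rdns}
    terms = [f"({a}={escape_filter_value(vals[a])})" for a in want("filtercomps") if a in vals]
    return base, "(&" + "".join(terms) + ")"

if __name__ == "__main__":
    maps, errs = parse_certmap(SAMPLE_CONF)
    print(errs)
    print(search_for(maps["default"], "uid=jdoe, e=jdoe@example.com, ou=People, o=example, c=US"))
```
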
Example 12-2 “An additional mapping” shows the contents of a sample certmap.conf file that
defines a default mapping as well as a mapping for MyCA: